Split VPN
[Solved]
Aug 06, 2016, 08:05 PM
Much appreciated @johnvick
Aug 10, 2016, 07:29 PM
(Aug 02, 2016, 10:56 AM)drake Wrote: Ok, let me know the output of the commands I asked, then we will see. I might not be able to reply soon, as I'm on the road.
For DNS you need to install resolvconf on Debian, and make sure you don't have a static IP set on the RPi, but on the router.
apt-get install resolvconf
We will know more once I see your answer.
What is the reason you need to set IP on router instead of on RPi?
Aug 10, 2016, 08:19 PM
@sharkaccident just so you know @drake is on vacation with unreliable internet but he will answer when he has time and connection.
I believe he means setting up a static/reserved DHCP IP for the Raspberry Pi on the router. You can usually do this by MAC address so the router always gives the device the same IP.
The alternative is to set a static IP on the Pi itself which could cause issues.
Aug 10, 2016, 08:29 PM
(This post was last modified: Aug 10, 2016, 08:31 PM by Yveske.)
(Aug 10, 2016, 07:29 PM)sharkaccident Wrote: What is the reason you need to set IP on router instead of on RPi?
@sharkaccident if you set your static IP on your RPi, resolvconf will not resolve your DNS addresses. So for this reason you should give your RPi a static IP with your router.
Aug 10, 2016, 08:53 PM
(Aug 10, 2016, 08:19 PM)Mike Wrote: @sharkaccident just so you know @drake is on vacation with unreliable internet but he will answer when he has time and connection.
I believe he means setting up a static/reserved DHCP IP for the Raspberry Pi on the router. You can do this by MAC address usually so the router always give the device the same IP.
The alternative is to set a static IP on the Pi itself which could cause issues.
Thanks @Mike
@Yveske tested the guide on Minibian, and he reported that setting a static IP on Minibian conflicts with resolvconf changing your DNS to the VPN (or your trusted) DNS address to prevent DNS leaks. Like Mike said, you should set the static IP for your RPi on your router (by using the MAC address).
I prefer (and it is advisable) to control IPs from your router anyway.
I hope it helps!
Aug 11, 2016, 03:18 AM
(This post was last modified: Aug 11, 2016, 03:44 AM by sharkaccident.)
@Mike / @Drake thanks for the clarification. I have been struggling with this split tunnel thing for about two weeks now. I am working off of Minibian.
iptables-save:
Code:
root@minibian:~# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug 11 02:37:55 2016
*filter
:INPUT ACCEPT [1380:100431]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [397:42136]
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.0.10/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Aug 11 02:37:55 2016
# Generated by iptables-save v1.4.21 on Thu Aug 11 02:37:55 2016
*mangle
:PREROUTING ACCEPT [1494:121260]
:INPUT ACCEPT [1380:100431]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:42976]
:POSTROUTING ACCEPT [402:42976]
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT ! -d 192.168.0.10/32 -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.0.10/32 -p udp -m udp --dport 53 -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.0.10/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT ! -s 192.168.0.10/32 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Thu Aug 11 02:37:55 2016
# Generated by iptables-save v1.4.21 on Thu Aug 11 02:37:55 2016
*nat
:PREROUTING ACCEPT [190:31354]
:INPUT ACCEPT [76:10525]
:OUTPUT ACCEPT [17:1045]
:POSTROUTING ACCEPT [17:1045]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 11 02:37:55 2016
ip route show table vpn:
Code:
root@minibian:~# sudo ip route show table vpn
default via 127.0.0.1 dev lo
/proc/sys/net/ipv4/conf/{all,default,eth0}/rp_filter
Code:
cat /proc/sys/net/ipv4/conf/{all,default,eth0}/rp_filter
2
2
2
iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match vpn
ACCEPT all -- anywhere anywhere owner UID match vpn
REJECT all -- !192.168.0.10 anywhere reject-with icmp-port-unreachable
iptables -S
Code:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.0.10/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
When I curl ipinfo.io as the vpn user:
Code:
root@minibian:~# sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io
When I curl ipinfo.io otherwise, I get a typical response with my ISP information.
I think I am onto something here:
Code:
sudo -u vpn -i -- cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.0.5
nameserver 8.8.8.8
nameserver 192.168.0.1
Hmmm, I don't see why it is not working:
Code:
root@minibian:/etc/openvpn# cat update-resolv-conf
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
foreign_option_1='dhcp-option DNS 209.222.18.222'
foreign_option_2='dhcp-option DNS 209.222.18.218'
foreign_option_3='dhcp-option DNS 8.8.8.8'
#
[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
    part1="$1"
    part2="$2"
    part3="$3"
}

case "$script_type" in
    up)
        NMSRVRS=""
        SRCHS=""
        for optionvarname in ${!foreign_option_*} ; do
            option="${!optionvarname}"
            echo "$option"
            split_into_parts $option
            if [ "$part1" = "dhcp-option" ] ; then
                if [ "$part2" = "DNS" ] ; then
                    NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
                elif [ "$part2" = "DOMAIN" ] ; then
                    SRCHS="${SRCHS:+$SRCHS }$part3"
                fi
            fi
        done
        R=""
        [ "$SRCHS" ] && R="search $SRCHS
"
        for NS in $NMSRVRS ; do
            R="${R}nameserver $NS
"
        done
        echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
        ;;
    down)
        /sbin/resolvconf -d "${dev}.openvpn"
        ;;
esac
Aug 11, 2016, 06:10 AM
(Aug 11, 2016, 03:18 AM)sharkaccident Wrote: @Mike / @Drake thanks for the clarification. I have been struggling with this split tunnel thing for about two weeks now. I am working off of Miniban.
Sorry to hear that it is still not working for you. I can confirm that it works on Minibian, so we need to further troubleshoot your setup. As Mike said, I'm with limited internet now, but when I return home I will take a look at this. In the meantime, maybe others who have a working VPN split tunnel on Minibian will be able to help you. Make sure you don't have a static IP set on Minibian but from the router. Looking from my phone, the output looks fine to me, except the DNS, but curl ip for the vpn user should work.
We will definitely have a guide for Minibian in a short time.
Until then, I hope someone from the forum who already has it working on Minibian will be able to help you.
Aug 11, 2016, 06:48 AM
@sharkaccident is this Pi device running anything else? pihole maybe?
It seems DNS is not working for the vpn user even though you have Google's DNS listed in resolv.conf. Let's check whether the split tunnel is working without DNS:
Code:
sudo -u vpn -i -- curl 52.58.218.7
Aug 11, 2016, 10:37 AM
I got it working on minibian, in this thread. Are you sure your login credentials are correct? Check /var/log/syslog for errors.
Aug 11, 2016, 02:09 PM
(Aug 11, 2016, 06:48 AM)Mike Wrote: @sharkaccident is this Pi device running anything else? pihole maybe?
It seems to be DNS is not working for the vpn user even though you have Google's DNS listed in resolv.conf. Let's check if the split tunnel is working without DNS
Code:
sudo -u vpn -i -- curl 52.58.218.7
I think we are getting close here:
Code:
sudo -u vpn -i -- curl 52.58.218.7
curl: (7) Failed to connect to 52.58.218.7 port 80: Connection timed out
Yes, I am running a pihole on a different RPi. Here is my current network setup:
Router (192.168.0.1) provides DHCP, with DNS settings of 192.168.0.5 (pihole) and 8.8.8.8 as backup.
PiHole has a static IP set on the device itself, 192.168.0.5.
VpnRpi is manually assigned an IP from the router (192.168.0.10). I thought update-resolv-conf was meant to override the DHCP-assigned DNS with the ones you specify in the guide.
/var/log/syslog:
Code:
Aug 11 02:20:49 minibian ovpn-openvpn[408]: /etc/openvpn/update-resolv-conf tun0 1500 1558 10.121.1.6 10.121.1.5 init
Aug 11 02:20:49 minibian systemd[1]: openvpn@openvpn.service: main process exited, code=exited, status=1/FAILURE
Aug 11 02:20:49 minibian systemd[1]: Unit openvpn@openvpn.service entered failed state.
Aug 11 02:20:50 minibian ntpd[372]: Deleting interface #6 tun0, 10.121.1.6#123, interface stats: received=0, sent=0, dropped=0, active_time=99 secs
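An added check script, not from the thread or the guide it follows, that turns the outputs posted above into a pass/fail: it assumes the vpn user is uid 1001, the LAN address is 192.168.0.10 and the policy routing table is named vpn (all taken from the posts), and it reads route and rule text as arguments so it can be exercised offline against the constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): classify the split-tunnel state from the
# same outputs the posters pasted. Run with --live on the Pi (root needed for
# iptables-save); without arguments it only evaluates the constructed samples.

# Constructed samples modelled on the thread. The first is the vpn table exactly
# as posted (tunnel not up); the second is what it looks like once OpenVPN has
# added its route (tun address 10.121.1.5 taken from the posted syslog line).
ROUTES_DOWN='default via 127.0.0.1 dev lo'
ROUTES_UP='default via 10.121.1.5 dev tun0
10.121.1.5 dev tun0 scope link'
RULES='-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.0.10/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable'

# vpn_table_state "<ip route show table vpn output>" -> up | blackhole | empty
#   up        : marked traffic has a default route over a tun device
#   blackhole : default points at lo, so marked traffic never leaves the host
#               (consistent with the vpn user's DNS and curl timing out)
#   empty     : no default route; a fwmark rule would fall through to the main table
vpn_table_state() {
  if printf '%s\n' "$1" | grep -Eq '^default .*dev tun[0-9]+'; then
    echo up
  elif printf '%s\n' "$1" | grep -Eq '^default .*dev lo( |$)'; then
    echo blackhole
  else
    echo empty
  fi
}

# leak_rules_ok UID LAN_IP "<iptables-save filter rules>" -> 0 when the three
# OUTPUT rules from the thread are present: the uid may send via lo and tun,
# and nothing with a non-LAN source (i.e. a tun address) may leave via eth0.
leak_rules_ok() {
  printf '%s\n' "$3" | grep -Fq -- "-A OUTPUT -o lo -m owner --uid-owner $1 -j ACCEPT" &&
  printf '%s\n' "$3" | grep -Eq -- "^-A OUTPUT -o tun[0-9]+ -m owner --uid-owner $1 -j ACCEPT" &&
  printf '%s\n' "$3" | grep -Fq -- "-A OUTPUT ! -s $2/32 -o eth0 -j REJECT"
}

if [ "${1:-}" = "--live" ]; then
  echo "vpn table: $(vpn_table_state "$(ip route show table vpn)")"
  if leak_rules_ok 1001 192.168.0.10 "$(iptables-save -t filter)"; then
    echo "leak-prevention rules: present"
  else
    echo "leak-prevention rules: missing"
  fi
else
  echo "sample (tunnel down): $(vpn_table_state "$ROUTES_DOWN")"
  echo "sample (tunnel up):   $(vpn_table_state "$ROUTES_UP")"
fi
```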